HowtoForge Forums > Linux Forums > Server Operation
  #21  
Old 15th June 2010, 04:57
djmixx07

Hi Mark, thanks for helping me out. Just an update about my mail server problem. I noticed that my www-data is the one sending out A LOT of stuff, which I think is spam. I don't know why it's doing that. I remember that before, someone was able to hijack our servers by installing Medusa. I immediately removed it, but I think it was too late, because that was the time all this mess started to happen: being blacklisted, the server sending spam, etc. If I reinstall, can you tell me what "security" I need to ensure in my new installation so it won't happen again? Thanks in advance.
  #22  
Old 15th June 2010, 16:30
Mark_NL

If you follow the how-to you have a good base installation. After that you can install fail2ban and rkhunter, and set up a cronjob to scan your drive with clamav on a daily/weekly basis.
  #23  
Old 17th June 2010, 16:16
djmixx07

I have reinstalled postfix and installed fail2ban, rkhunter, and amavisd-new. I am about to change the public IP of my server, but I'm afraid that I haven't solved the problem, and I don't know how to prevent it from happening again. My current IP is still blacklisted, so I can't test whether my new setup is working.

My question is: I have determined that www-data@mydomain.com is sending spam. How can I fix this? Can I block it from sending mail, or filter any outgoing mail that might be spam?
  #24  
Old 17th June 2010, 16:38
Mark_NL

If your server is still sending out spam with www-data@mydomain.com .. then your machine is still compromised and you need to find out who/what is sending those mails .. it must be a process that is run through apache (www-data).

Get your IP unbanned (most lists have an unban option), then switch IP, test and hf.
  #25  
Old 18th June 2010, 09:41
djmixx07

Quote (originally posted by Mark_NL):
If your server is still sending out spam with www-data@mydomain.com .. then your machine is still compromised and you need to find out who/what is sending those mails .. it must be a process that is run through apache (www-data).

Get your IP unbanned (most lists have an unban option), then switch IP, test and hf.

That is my problem: I'm unable to determine who/what is sending those mails, except for the fact that it's using my www-data to send spam. Do you have any idea where to look and how to fix it? Thanks again for your help.
  #26  
Old 18th June 2010, 10:03
Mark_NL

With
Code:
ps flax
you can see the running processes .. www-data = UID 33

It could be that there is a cgi/php script running that sends those mails .. you have to dig deeper to find the problem. If all else fails, PM me; I can take a look at your machine if you want.
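As an added example that is not part of the thread (it is not code from either poster), the following POSIX shell script shows the two checks Mark is pointing at in posts #24 and #26: pulling the UID 33 processes out of `ps flax` output, and using the Postfix pickup/qmgr lines in mail.log to confirm which queued messages were submitted locally by that UID and how many carry the www-data envelope sender. The `ps` output, the mail.log excerpt, the hostname, the script path and the queue IDs are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: locate processes running as www-data
# (UID 33) in `ps flax` output, and tie outgoing spam to the web user via
# the Postfix log. All sample data below is constructed; the PIDs, paths,
# hostname and queue IDs are made up.

# Constructed `ps flax` output. In forest (f) mode the COMMAND column starts
# with "\_" markers for child processes; UID is the second column.
SAMPLE_PS='F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0   912     1  20   0  71204  3560 -      Ss   ?          0:01 /usr/sbin/apache2 -k start
5    33  1001   912  20   0  71480  2216 -      S    ?          0:00  \_ /usr/sbin/apache2 -k start
5    33  1002   912  20   0  71480  2216 -      S    ?          0:00  \_ /usr/sbin/apache2 -k start
0    33  2045  1002  20   0  20104  1568 -      S    ?          0:00      \_ /usr/bin/php /var/www/html/contact/send.php
0    33  2046  2045  20   0  12016   900 -      S    ?          0:00          \_ /usr/sbin/sendmail -t -i
4     0   600     1  20   0  25444  1916 -      Ss   ?          0:00 /usr/lib/postfix/master'

# Constructed /var/log/mail.log excerpt in Postfix format. The pickup lines
# record the local UID that handed each message to sendmail(1); the qmgr
# lines carry the rewritten envelope sender.
SAMPLE_LOG='Jun 17 14:02:11 srv postfix/pickup[1330]: 4A1B2C3D4E: uid=33 from=<www-data>
Jun 17 14:02:11 srv postfix/qmgr[1201]: 4A1B2C3D4E: from=<www-data@mydomain.com>, size=1422, nrcpt=1 (queue active)
Jun 17 14:02:12 srv postfix/pickup[1330]: 5B2C3D4E5F: uid=33 from=<www-data>
Jun 17 14:02:12 srv postfix/qmgr[1201]: 5B2C3D4E5F: from=<www-data@mydomain.com>, size=1419, nrcpt=1 (queue active)
Jun 17 14:05:40 srv postfix/pickup[1330]: 6C3D4E5F60: uid=1000 from=<alice>
Jun 17 14:05:40 srv postfix/qmgr[1201]: 6C3D4E5F60: from=<alice@mydomain.com>, size=2210, nrcpt=1 (queue active)
Jun 17 14:06:03 srv postfix/pickup[1330]: 7D4E5F6071: uid=33 from=<www-data>
Jun 17 14:06:03 srv postfix/qmgr[1201]: 7D4E5F6071: from=<www-data@mydomain.com>, size=1425, nrcpt=1 (queue active)'

# Print "PID PPID COMMAND" for every process in `ps flax` text (stdin)
# whose UID equals $1. The forest markers "\_" are dropped from the command.
procs_for_uid() {
    awk -v uid="$1" '
        NR > 1 && $2 == uid {
            cmd = ""
            for (i = 13; i <= NF; i++) {
                if ($i == "\\_") continue
                cmd = cmd (cmd == "" ? "" : " ") $i
            }
            print $3, $4, cmd
        }'
}

# Print the queue IDs of messages the Postfix pickup service accepted from
# local UID $1 (mail.log text on stdin). Field 6 is "QUEUEID:", field 7 "uid=N".
queue_ids_for_uid() {
    awk -v uid="$1" '
        /postfix\/pickup\[/ && $7 == ("uid=" uid) {
            id = $6
            sub(/:$/, "", id)
            print id
        }'
}

# Count queue-manager entries whose envelope sender is $1 (mail.log on stdin).
count_envelope_sender() {
    awk -v s="from=<$1>," '/postfix\/qmgr\[/ && index($0, s) { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed samples. On a live box replace the
# printf pipelines with `ps flax | procs_for_uid 33` and
# `queue_ids_for_uid 33 < /var/log/mail.log`, then grep the queue IDs in
# the log to see their recipients, and check the parent PID of any
# sendmail process to find the script that spawned it.
echo "Processes running as UID 33:"
printf '%s\n' "$SAMPLE_PS" | procs_for_uid 33
echo "Queue IDs submitted by UID 33:"
printf '%s\n' "$SAMPLE_LOG" | queue_ids_for_uid 33
echo "Messages from www-data@mydomain.com: $(printf '%s\n' "$SAMPLE_LOG" | count_envelope_sender www-data@mydomain.com)"
```

The pickup line is the useful one: `uid=33` proves the message was injected locally through the sendmail binary by the Apache user, not received over SMTP, so the sender is a script under the web server (the PHP process that is the parent of the sendmail process in the sample). If the parent PID points at a CGI/PHP interpreter, its command line or `/proc/PID/cwd` tells you which file to look at.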
  #27  
Old 18th June 2010, 13:29
djmixx07

Quote (originally posted by Mark_NL):
With
Code:
ps flax
you can see the running processes .. www-data = UID 33

It could be that there is a cgi/php script running that sends those mails .. you have to dig deeper to find the problem. If all else fails, PM me; I can take a look at your machine if you want.

I have read one post here that is similar to my issue. It says that it could be a faulty contact form on our website. So what I did is remove that component from our site, and I am now monitoring what happens next. I requested a DNS change from our ISP, to point to the new IP address that we will use. Crossing my fingers. Thanks again, Mark.
  #28  
Old 18th June 2010, 13:57
Mark_NL

Yep, a contact form is also a possibility; you can add a CAPTCHA to the form to stop bots abusing your form.

gl!
All times are GMT +2.